Saturday, November 24, 2012

Introduction

Lately I ran into a configuration option I was not aware of. The
problem: I had a single Java installation on a Linux machine from which
I had to start two JVM instances, each using a different set of JCE
providers. A reminder: the JVM loads its security configuration,
including the JCE providers list, from a master security properties
file within the JRE folder (JRE_HOME/lib/security/java.security); the
location of that file is fixed in the JVM and cannot be modified. Going
over the documentation (not very helpful, I must admit) and the
code (more helpful; look for Security.java, for example here) revealed the secret.

security.overridePropertiesFile

It all starts with the default java.security file provided with the
JVM. Looking at it, we will find the following (somewhere around the
middle of the file):

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true

If security.overridePropertiesFile does not equal true we can stop here;
the rest of this article is irrelevant (unless we have the option to
change it, but I didn't have that). Luckily for me, by default it does
equal true.

java.security.properties

The next step, the interesting one, is to override or append configuration
to the default java.security file per JVM execution. This is done by
setting the 'java.security.properties' system property to point to a
properties file as part of the JVM invocation; it is important to
notice that the file can be referenced in one of two flavors:

Overriding the entire file provided by the JVM: if the
first character in the java.security.properties value is the equals
sign, the default configuration file will be entirely ignored and only the
values in the file we are pointing to will be effective.

Appending to and overriding values of the default file: any
other first character in the property's value (that is, the first
character of the alternate configuration file path) means that the
alternate file will be loaded and appended to the default one. If the
alternate file contains properties that are already in the default
configuration file, the alternate file will override those properties.
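The loading order described in the two sections above, modelled as an added example (this is my illustration of the rule, not code from the post or from the JDK's own Security.java): load the master file, honour security.overridePropertiesFile, then apply the -Djava.security.properties value either as a full replacement (leading '=', i.e. `-Djava.security.properties==/path/alt.properties` on the command line) or as an append-and-override. Both sample files are constructed in a temporary directory; the provider class `com.example.ExampleJceProvider` is a placeholder. The real JVM goes on to build its provider list from the `security.provider.N` keys of the result; this model only shows which keys survive.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;

/**
 * Added example, not the JDK's code: models how the JVM combines the
 * master java.security file with the -Djava.security.properties value.
 */
public class SecurityPropsMerge {

    /**
     * Mirrors the rule from the post: a leading '=' in the property value
     * means "replace the master file", anything else means "append and
     * override". The flag in the master file is checked first.
     */
    static Properties effectiveProperties(Path masterFile, String overrideValue) throws IOException {
        Properties master = load(masterFile);
        if (overrideValue == null || overrideValue.isEmpty()) {
            return master;                      // no -Djava.security.properties given
        }
        if (!"true".equalsIgnoreCase(master.getProperty("security.overridePropertiesFile", "false"))) {
            return master;                      // master file forbids overriding: the flag is ignored
        }
        boolean replace = overrideValue.charAt(0) == '=';
        Path altFile = Path.of(replace ? overrideValue.substring(1) : overrideValue);
        Properties alt = load(altFile);
        if (replace) {
            return alt;                         // master file ignored entirely
        }
        Properties merged = new Properties();
        merged.putAll(master);
        merged.putAll(alt);                     // same key in both: the alternate file wins
        return merged;
    }

    static Properties load(Path file) throws IOException {
        Properties p = new Properties();
        try (Reader r = Files.newBufferedReader(file, StandardCharsets.ISO_8859_1)) {
            p.load(r);
        }
        return p;
    }

    // Runs both flavours against two constructed files written to a temp directory.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jsec");
        Path master = dir.resolve("java.security");
        Path alt = dir.resolve("alt.properties");
        // Constructed sample contents; com.example.ExampleJceProvider is a placeholder class name.
        Files.writeString(master, String.join("\n",
            "security.overridePropertiesFile=true",
            "security.provider.1=sun.security.provider.Sun",
            "security.provider.2=sun.security.rsa.SunRsaSign",
            "securerandom.source=file:/dev/random", ""));
        Files.writeString(alt, String.join("\n",
            "security.provider.1=com.example.ExampleJceProvider",
            "security.provider.2=sun.security.provider.Sun", ""));

        System.out.println("append/override flavour (-Djava.security.properties=" + alt + "):");
        effectiveProperties(master, alt.toString())
            .forEach((k, v) -> System.out.println("  " + k + "=" + v));
        // securerandom.source survives from the master file; provider.1 and .2 come from alt.properties

        System.out.println("replace flavour (-Djava.security.properties==" + alt + "):");
        effectiveProperties(master, "=" + alt)
            .forEach((k, v) -> System.out.println("  " + k + "=" + v));
        // only the two keys from alt.properties exist now; the master file contributed nothing
    }
}
```

Compile and run it with `javac SecurityPropsMerge.java && java SecurityPropsMerge` (Java 11 or later); the second listing is the shorter one, which is exactly why the replace flavour must be used with care: everything not restated in the alternate file, including settings unrelated to providers, is gone.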

Be Careful

Important as this configuration option is, we must not forget its
security implications. We should always make sure that no one can
tamper with the value of the property and that no one who shouldn't be
allowed to can tamper with the alternate file's content.
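A defensive check for the point above, written as an added example (mine, not the post's): at start-up, compare the provider list the JVM actually ended up with against the list the deployment expects, and, if an alternate file is in use, refuse to run when that file is writable by group or others. The expected provider names in main are a constructed sample and must be set to the real deployment's intended list; `Security.getProviders()` and `Files.getPosixFilePermissions` are standard JDK APIs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example, not from the post: fail fast if the effective provider
 * list or the alternate properties file is not what the deployment expects.
 */
public class ProviderGuard {

    /** Returns a list of findings; an empty list means the configuration matches expectations. */
    static List<String> audit(List<String> expectedProviderNames) {
        List<String> findings = new ArrayList<>();

        // 1. The provider list the JVM actually ended up with, in preference order.
        Provider[] installed = Security.getProviders();
        List<String> names = new ArrayList<>();
        for (Provider p : installed) {
            names.add(p.getName());
        }
        if (!names.equals(expectedProviderNames)) {
            findings.add("provider list differs: expected " + expectedProviderNames + " but got " + names);
        }

        // 2. If an alternate file is in use, it must not be writable by group or others.
        String override = System.getProperty("java.security.properties");
        if (override != null && !override.isEmpty()) {
            Path alt = Path.of(override.startsWith("=") ? override.substring(1) : override);
            try {
                Set<PosixFilePermission> perms = Files.getPosixFilePermissions(alt);
                if (perms.contains(PosixFilePermission.GROUP_WRITE)
                        || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                    findings.add("override file " + alt + " is writable by group or others: " + perms);
                }
            } catch (UnsupportedOperationException e) {
                findings.add("cannot read POSIX permissions of " + alt + " on this filesystem");
            } catch (IOException e) {
                findings.add("override file " + alt + " could not be inspected: " + e);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed expectation: replace with the deployment's intended provider names, in order.
        List<String> expected = List.of("SUN", "SunRsaSign", "SunEC", "SunJSSE", "SunJCE");
        List<String> findings = audit(expected);
        if (findings.isEmpty()) {
            System.out.println("security configuration OK");
        } else {
            findings.forEach(f -> System.err.println("CONFIG ERROR: " + f));
            System.exit(1);   // refuse to start with an unexpected JCE configuration
        }
    }
}
```

Run it as `java -Djava.security.properties=/path/alt.properties ProviderGuard`; a non-zero exit means the effective configuration is not the one you intended, whether because the -D value was changed or because the alternate file was edited or left with loose permissions.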

Eyal, my purpose is really to eliminate overriding. So I plan to change the default 'true' value to 'false'. For local connections that is sufficient to prevent overriding of system properties. However, that does not work for remote connections using RMI. Any advice with respect to RMI? Thanks!
